This invention relates generally to key escrow in a communication system, and specifically to key recovery for accessing an encrypted communication.
Communication plays a vital role in our information society, where telecommunications and the internet are becoming the accepted channels of communicating messages and information. As more and more companies, governments, and organizations become connected to these channels of communication, a need arises to protect the privacy of the communications. Encryption is one method of ensuring that only the sender and recipient of a message have access to the content.
Cryptography is one of the main tools used to ensure private communications, control access to communications, secure electronic payments, provide corporate security, etc. Cryptography generally relates to all aspects of secure communications, including authentication, digital signatures, electronic money, and others.
For a general understanding, some of the terms used in cryptography are explained. The message is called “plaintext”, and the encrypted message is called “ciphertext”. The process of retrieving the plaintext from the ciphertext is referred to as “decryption”. Simply, encryption encodes a message so that it changes in form, hiding its contents from everyone but the sender and recipient. After receipt, decryption recovers the original message.
Both encryption and decryption typically require the use of a “key”, which may be thought of as the mapping between plaintext and ciphertext. The message is encrypted with a key and decrypted with a key, where the keys may be the same or different. Key-based algorithms used for encryption generally fall into two (2) categories: symmetric and asymmetric. Symmetric algorithms use one key for both encryption and decryption.
“Public-key” algorithms are asymmetric algorithms which require a key pair: a secret or private key (D) for decryption, and a public key (E) for encryption. For a message (P), the encrypted message is identified as E(P) and the decrypted message as D(E(P))=P. The encryption key is public, allowing anyone to encrypt a message; the decryption key, however, is private. The message cannot be decrypted without using the private key. Some encryption schemes use a combination of symmetric and asymmetric algorithms.
It is often necessary or desirable for a government to intercept an encrypted communication where unlawful and/or harmful activity is suspected. Similarly, in a corporate environment, it is often desirable to monitor communications and prevent loss of confidential and/or proprietary information. Additionally, proprietary information, such as software source code, may need to be accessed when a company is in bankruptcy, or to allow users to debug the software, etc.
A problem exists in these types of situations, as monitoring an encrypted communication requires knowledge of at least one of the keys. Several methods have been developed that allow monitoring of an encrypted communication without compromising security.
According to one such method, a party or parties provide the key(s) to an escrow service. The key is then revealed on a need-to-know basis. When the escrow service receives a request to monitor a communication, the escrow service determines if the request is valid. Validation may involve verifying a court order, etc. According to one escrow scheme, the key is broken into pieces and each piece is provided to a separate escrow agent. All of the agents must agree to allow the monitoring operation or the key cannot be retrieved. In this system, however, a single agent has the power to prevent the monitor operation. Each of the agents receives at least a piece of knowledge of the key; therefore, in the single holdout situation, it may be possible for the other agents to collaborate and determine the missing piece of the key. Even if not all of the agents collaborate, the security of the message is considerably weakened because much less searching is required if parts of the key are recovered.
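The single-holdout weakness described above, worked through as an added example that is not part of the original text. The 128-bit sample key, the eight-agent split, and the use of a SHA-256 hash of the key as the colluding agents' way of testing a candidate are assumptions made for illustration.

```python
import hashlib
from itertools import product
from typing import List, Optional

def split_key(key: bytes, agents: int) -> List[bytes]:
    """Naive escrow: give each agent one contiguous slice of the key."""
    if agents < 1 or len(key) % agents:
        raise ValueError("key length must be a positive multiple of the agent count")
    size = len(key) // agents
    return [key[i * size:(i + 1) * size] for i in range(agents)]

def search_bits(key_len: int, agents: int, holdouts: int) -> int:
    """Key bits still unknown to the colluding agents."""
    return 8 * (key_len // agents) * holdouts

def recover_holdout(pieces: List[Optional[bytes]], check: bytes) -> Optional[bytes]:
    """Rebuild the key when exactly one piece (marked None) is withheld.

    `check` is SHA-256 of the key: an assumed stand-in for whatever lets the
    colluders test a candidate (for example a known plaintext/ciphertext pair).
    """
    missing = pieces.index(None)
    size = len(next(p for p in pieces if p is not None))
    for guess in product(range(256), repeat=size):
        trial = pieces[:missing] + [bytes(guess)] + pieces[missing + 1:]
        candidate = b"".join(trial)
        if hashlib.sha256(candidate).digest() == check:
            return candidate
    return None

# Constructed sample: a 128-bit key escrowed with eight agents (16 bits each).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    pieces = split_key(SAMPLE_KEY, 8)
    held = pieces[:3] + [None] + pieces[4:]   # agent 4 refuses to cooperate
    print("bits left to search:", search_bits(len(SAMPLE_KEY), 8, 1), "of 128")
    found = recover_holdout(held, hashlib.sha256(SAMPLE_KEY).digest())
    print("key recovered without agent 4:", found == SAMPLE_KEY)
```

With one agent holding out, the remaining seven face a 16-bit search instead of a 128-bit one, which is why handing agents raw key material undermines the veto the scheme was meant to give each of them.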
In another system, the message is first encrypted by a first agent, then by a second, until all agents have encrypted the message. For example, for three (3) agents, the final encrypted message is represented as E3(E2(E1(P))). The encrypted message is then decrypted in the reverse order, D1(D2(D3(E3(E2(E1(P)))))). Each public key, Ei, belongs to a separate agent. Each agent has a corresponding private key, Di. The order of encryption and decryption is important. If one link in the encryption and/or decryption breaks, the entire chain breaks and the message cannot be intercepted. The agents in this system receive information about the key, thus potentially compromising the security of the communication system. Also, it is necessary for all the agents to cooperate, as the missing private key is not easily determined.
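The layered scheme E3(E2(E1(P))) described above, as an added example that is not part of the original text. It uses unpadded textbook RSA with tiny constructed primes purely to make the chain visible; the primes, the exponent 65537 and all function names are assumptions, and nothing here is a usable cipher.

```python
E = 65537  # public exponent shared by all toy agents (assumed)

def make_agent(p: int, q: int):
    """Return ((e, n), (d, n)) for one escrow agent from two toy primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# Constructed toy agents; moduli increase so each layer's output fits the next.
AGENTS = [make_agent(1009, 1013), make_agent(1019, 1021), make_agent(1031, 1033)]
PUBS = [pub for pub, _ in AGENTS]     # E1, E2, E3
PRIVS = [priv for _, priv in AGENTS]  # D1, D2, D3

def wrap(m: int, pubs) -> int:
    """E3(E2(E1(P))): apply each agent's public key in turn."""
    if not 0 <= m < pubs[0][1]:
        raise ValueError("message must be smaller than the first modulus")
    for e, n in pubs:
        m = pow(m, e, n)
    return m

def unwrap(c: int, privs_in_order) -> int:
    """Apply private keys in the order given, e.g. [D3, D2, D1]."""
    for d, n in privs_in_order:
        c = pow(c, d, n)
    return c

if __name__ == "__main__":
    P = 424242                      # constructed sample message
    c = wrap(P, PUBS)
    print("reverse order D3,D2,D1:", unwrap(c, PRIVS[::-1]) == P)
    print("wrong order D1,D2,D3:  ", unwrap(c, PRIVS) == P)
    print("agent 2 withholds D2:  ", unwrap(c, [PRIVS[2], PRIVS[0]]) == P)
```

Only the reverse-order chain returns P; applying the keys in the wrong order or skipping one agent's private key leaves the message unrecoverable, which is the all-or-nothing cooperation requirement the passage criticizes.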
In the presently available monitoring schemes, multiple agents typically have access to at least a portion of the key information, which is an undesirable condition for the overall security of the communication. Similarly, all of the agents are required to make a decision to monitor, giving a single agent holdout power.
A need therefore exists for a method of key escrow where security of the communication system is maintained by providing key information to a minimum number of parties, while providing a variety of scenarios for enabling monitoring. It is additionally desirable that decision makers, i.e. escrow agents, have little or no key information, and that the key is kept independent from the agents.